The existence of the computers and the level of usage in almost all businesses and companies has increased the need for an efficient and more robust technique to Auditing what goes through the computer by way of inputs and what comes out by way of output.
The computer has been with us right from its first development and form in the early 20th century. However, right from the 1980s to the millennial, the use of computer networks and internet connectivity has brought about a whole new level of risks associated with the use of computers.
Computers have been exposed to a lot of risks over the years in different forms either by way of gaining unauthorized access, hacking or other forms of malicious attacks including eavesdropping and identity theft.
These attacks expose the usage of computers in Finance, storage, communication and information systems. Hence, the need for a more robust process for Auditing how the inputs are processed through the computer as well as round the computer.
The International Auditing and Assurance Standards Board earlier issued the Standard on Auditing ISA401, Auditing in a Computer Information Systems Environment. The standard described the processes involved in providing assurances on risk assessments affecting the computer environment.
Understanding the Computer Information System (CIS) environment and how it affects the Audit process
The purpose of Auditing does not change in the CIS environment. It is also important to understand if the CIS is employed by the entity or by a third party.
In understanding the CIS, the Auditor should;
a. Understand the operations and transactions carried out by the entity and how it significantly impacts the financial statement
b. The Auditor should obtain the procedures of the information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected or reversed as necessary, transferred to the general ledger and reported in the financial statements;
c. The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate record process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form
Skills & Competence
The Auditor should possess the necessary skills and knowledge required to Audit the computer information system. Hence, the Auditor is expected to plan the Audit, Direct and Supervise the Audit process and review the work performed. The process must be such that it identifies the inherent risks and control risks associated with the Computer Information.
System (CIS). The use of Computer Assisted Techniques (CAAT) reinforces the need for the Auditor to be familiar with the Computer Information System.
Planning the Audit
The Auditor is expected to carry out a Risk assessment of the Internal controls and Accounting procedures sufficient to approach the Audit. Hence, availability of data, source documents, computer files is crucial to understanding the CIS. As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, significant risk. In exercising this judgment, the auditor shall exclude the effects of identified controls related to
The Auditor should identify the risks throughout the Audit process and the controls that relate to the risk. Assess the risks and evaluate the risks as it relates to the financial statement.
Relate the risk to what can go wrong at the assertion level, taking account of the relevant controls that the Auditor intends to test and the likelihood for material misstatements.
The Auditor should consider the CIS in designing the Audit procedure. The objective of the Audit does not change whether the accounting data is processed manually or by the computer. The method of applying Audit procedures to gather evidence may be influenced by the method of computer processing. The Auditor may use either manual audit procedures, computer assisted audit technique or a combination of both to obtain sufficient evidential matter. It may be impossible or difficult for the auditor to obtain certain data for inspection, inquiry or confirmation without computer assistance in some accounting information systems.
Analytical procedures performed as risk assessment procedures may identify aspects of the entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks.
Analytical procedures performed as risk assessment procedures may include both financial and non-financial information, for example, the relationship between Interest Income and volume of Loan disbursed.
The use of analytical procedures may also help to identify the existence of unusual transactions or events, amounts, ratios, and trends that might indicate matters that have audit implications. Unusual or unexpected relationships that are identified may assist the auditor in identifying the risks of material misstatements, especially risks due to fraud.
The discussion among the engagement team about the susceptibility of the entity’s financial statements to material misstatement
This Provides an opportunity for more experienced engagement team members, including the engagement partner, to share their insights based on their knowledge of the entity.
Ø Allows the engagement team members to exchange information about the business risks to which the entity is subject and about how and where the financial statements might be susceptible to material misstatement due to fraud orerror.
Ø Assists the engagement team members to gain a better understanding of the potential for material misstatement of the financial statements in the specific areas assigned to them, and to understand how the results of the audit procedures that they perform may affect other aspects of the audit including the decisions about the nature, timing and extent of further audit procedures.
Ø Provides a basis upon which engagement team members communicate and share new information obtained throughout the audit that may affect the assessment of risks of material misstatement or the audit procedures performed to address these risks
Information technology (IT) is integral to modern accounting and management information systems. It is, therefore, imperative that auditors should be fully aware of the impact of IT on the audit of a client’s financial statements, both in the context of how it is used by a client to gather, process and report financial information in its financial statements, and how the auditor can use IT in the process of auditing the financial statements. (ACCA).